NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
GUIDELINES ON SECURING PUBLIC WEB SERVERS<br />
6.4.4<br />
Locati<strong>on</strong> of Server-Side C<strong>on</strong>tent Generators<br />
The locati<strong>on</strong> of active c<strong>on</strong>tent <strong>on</strong> the <strong>Web</strong> server is critical. If located in an incorrect directory or in a<br />
directory with the wr<strong>on</strong>g permissi<strong>on</strong>s, it can quickly lead to the compromise of the <strong>Web</strong> server. To avoid<br />
this problem—<br />
Writable files should be identified and placed in separate folders. No script files should exist in<br />
writable folders. As an example, guest book data is usually saved in simple text files. These files<br />
need write permissi<strong>on</strong>s for guests to be able to submit their comments.<br />
Executable files (e.g., CGI, .EXE, .CMD, and PL) should be placed in separate folders. No other<br />
readable or writable documents should be placed in these folders.<br />
Script files (e.g., ASP, PHP, and PL) should have separate folders. It may also be beneficial to store<br />
the scripts in a folder with a n<strong>on</strong>-obvious name (e.g., not “Scripts”) to make it more difficult for an<br />
attacker to find the scripts through direct browsing.<br />
Include files (e.g., INC, SHTML, SHTM, and ASP) created for code reusability should be placed in<br />
separate directories. SSI should not generally be used <strong>on</strong> public <strong>Web</strong> servers. ASP include files<br />
should have an .asp extensi<strong>on</strong> instead of .inc. Note that much of the risk with include files is in their<br />
execute capability. If the execute capability is disabled, this risk is drastically reduced.<br />
6.4.5<br />
Cross-Site Scripting Vulnerabilities<br />
Cross-site scripting (XSS) is a vulnerability typically found in interactive <strong>Web</strong> applicati<strong>on</strong>s that allows<br />
code injecti<strong>on</strong> by malicious <strong>Web</strong> users into the <strong>Web</strong> pages viewed by other users. It generally occurs in<br />
<strong>Web</strong> pages that do not do the appropriate bounds checking <strong>on</strong> data input by users. An exploited cross-site<br />
scripting vulnerability can be used by attackers to compromise other users’ computers or to receive data<br />
from another user’s <strong>Web</strong> sessi<strong>on</strong> (e.g., user ID and password or sessi<strong>on</strong> cookie). Thus, although this is a<br />
client side exploit, it also impacts the server indirectly since a compromised user, particularly <strong>on</strong>e with<br />
elevated privileges, represents a threat to the server. XSS vulnerabilities are used frequently to c<strong>on</strong>duct<br />
phishing attacks or exploit <strong>Web</strong> browser vulnerabilities to gain c<strong>on</strong>trol of end user PCs.<br />
XSS vulnerabilities are highly varied and frequently unique to a particular <strong>Web</strong> applicati<strong>on</strong>. They<br />
encompass two general categories:<br />
Persistent XSS vulnerabilities allow for the more powerful attacks. This vulnerability occurs when<br />
data provided to a <strong>Web</strong> applicati<strong>on</strong> by an untrusted user is stored persistently <strong>on</strong> the server and<br />
displayed to other users as <strong>Web</strong> c<strong>on</strong>tent but is not validated or encoded using HTML. A comm<strong>on</strong><br />
example of this is <strong>on</strong>line message boards, wikis, and blogs where users are allowed to post HTMLformatted<br />
messages for other users to view. In this example, after a malicious user posts a malicious<br />
message or reply, any other user who accesses a page displaying that data and whose browser is<br />
vulnerable to the exploit can be compromised.<br />
N<strong>on</strong>-persistent XSS vulnerabilities, sometimes called reflected, are more comm<strong>on</strong> and somewhat<br />
less dangerous than persistent vulnerabilities. N<strong>on</strong>-persistent vulnerabilities occur when data<br />
provided by a <strong>Web</strong> client is used immediately by server-side scripts to generate a results page for that<br />
user (e.g., login screen, search results page). If the unvalidated client-supplied data is included in the<br />
returned page without any HTML encoding, this will allow client-side code to be injected into the<br />
dynamic page. This might not appear to be a problem <strong>on</strong> the surface, since an attacker can <strong>on</strong>ly<br />
exploit himself or herself. However, an attacker could send a specially crafted URL to a user and<br />
6-17